Yet still (http://img542.imageshack.us/i/113v.jpg/) people are using ports that should be closed.
I am quite certain this is done by using torrents.
Also, I installed a DNS spoofer which blocks all URLs containing the word *tracker*, so torrents should be blocked by pf and by dnsspoof.

Still on that OpenBSD 4.6 Frankensystem of yours, eh? I can tell from your "nat" rules, which don't exist in newer releases.

The most recent release of this OS is 4.9, and support of 4.6 ended with the release of 4.8 more than half a year ago. Only the most recent release and its immediate predecessor are supported.

With a quick glance at this, it looks like your problem may be your improper use of a quoted macro variable. Try:

# pfctl -s rules

To see what rules are actually produced by your pf.conf file.

Recommendation: Do not post real internet addresses here that may give an indication of your actual internet address. This forum is open to the public. Feel free to edit your post accordingly, and redact 195.x.x.x addresses, for example.

Yeah, it is not easy to control a 60-person network on a 4 Mbit line though.

Here's the output:

Code:

# pfctl -s rules
pass in quick on lo0 inet from 192.168.2.1 to any flags S/SA keep state
pass in quick on lo0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on lo0 inet from 192.168.2.1 to any flags S/SA keep state
pass out quick on lo0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on rl0 inet proto tcp from any to 192.168.2.1 flags S/SA keep state
block drop log all
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 195.122.131.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 62.67.50.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 212.162.2.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 62.140.7.0/24
block drop in quick on rl0 inet proto tcp from 192.168.2.0/24 to 130.117.156.250
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to 192.168.2.1 port = 667 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to 127.0.0.1 port = 667 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ssh flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = www flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = https flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = domain flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = auth flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1863 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ftp flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = ftp-data flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = smtp flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = pop3 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = imap flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = smtps flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = imaps flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = pop3s flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 3724 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 6112 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1119 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 1700 flags S/SA keep state
pass in quick on rl0 inet proto tcp from 192.168.2.0/24 to any port = 25565 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ssh flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = www flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = https flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = domain flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = auth flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1863 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ftp flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = ftp-data flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = smtp flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = pop3 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = imap flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = smtps flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = imaps flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = pop3s flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 3724 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 6112 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1119 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 1700 flags S/SA keep state
pass out quick on dc0 inet proto tcp from 192.168.0.2 to any port = 25565 flags S/SA keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to DNSIP port = domain keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to DNSIP2 port = domain keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port 27000:27015 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 4380 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 1500 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 3005 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 3101 keep state
pass in quick on rl0 inet proto udp from 192.168.2.0/24 to any port = 28960 keep state
pass out quick on dc0 inet proto udp from 192.168.0.2 to 195.238.2.21 port = domain keep state
pass out quick on dc0 inet proto udp from 192.168.0.2 to 195.238.2.22 port = domain keep state
pass in quick on rl0 inet proto icmp from 192.168.2.0/24 to any icmp-type echoreq keep state
pass out quick on rl0 inet proto icmp from 192.168.2.0/24 to any icmp-type echoreq keep state

All of your filter rules are "quick" -- excepting your one block log all for default deny. The first matching quick rule will win.

You have no inbound rules on dc0, except what may come from stateful processing of its outbound rules.

You do not have unlimited ports open. Your "test" that you posted may not have been run externally, or not from the right subnet, or, you have other NAT translations ahead of this OpenBSD box, affecting port responses seen by the testing platform.

This could be the best way, but here's my situation:
I am in a student house, lots of 'I don't care' people here, who 'abuse' the internet.

I myself am a student who likes to use the internet for browsing, fun, and school, also for downloading but at night when nobody needs the internet. The housekeeper allowed me to install a server and operate it (by using putty, so no physical access) to control the internet, since every year there are problems with students not obeying the 'rules' although everyone is clearly informed (every year there are multiple meetings with all students, and the network/internet subject is treated there too).
So, we could state that everyone is well educated about the topic. This doesn't help, so you talk about punishing: I cannot disconnect anyone physically from the network, nor do I have the time to monitor the internet traffic, let alone analyse it.
Blocking legitimate traffic: House rules state the internet is used only for school purposes (which of course is very outdated, but it's in the rules). Also since I have access to the server through putty, I can open any port I want, at any time. When I first installed the server people came to me about applications not working, e-mail etc., all problems which have been solved by now.

I really understand your advice and I appreciate it; I would also apply it if I had the correct means to do so. Furthermore, there are more people who appreciate the current policy than those who dislike it!

The problem I spoke of in my first post was that someone was generating a lot of upload traffic, which severely slowed down the network. I spoke to this person in the meantime, and he said it was not a torrent but a problem with Dropbox (which actually doesn't really change the core of the problem). I believe he was speaking the truth because he supports the server-thingy and supports me too.

@jggimi:
- The quick identifier was meant for every rule; also, the block is the first rule (after the nat rules), so it shouldn't make any difference removing it.
- dc0 is the 'outside' network which leads to the router/modem and eventually the internet. Should I apply any rules? Block all applies to this network too, correct? Unless stateful connections are opened, as you mentioned.
- About the nat rules: yes, the current topology is: PCs - (192.168.2.1/24) - OpenBSD - (192.168.0.1/24) - router/modem - (ISP subnet) - internet
So there is NAT twice; maybe that could be the issue?

You should not remove the block all -- it provides a "default deny" rule.

Keep in mind: 1) If a "quick" rule is matched, that rule wins. All PF analysis stops right there, with that pass or block. 2) If a rule does not have "quick", the last rule to match wins. Your block all does not have quick, and it will always match.

-----------------------

Test your network firewall from OUTSIDE the net. Your test, conducted from the inside, was against 192.168.2.113. I assume from somewhere else on your 192.168.2.x subnet. Not a valid test, therefore.

You may want to add "log" options to all of your rules, so you can log those things you permit as well as those you deny for later analysis with netstat(1).
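As an added illustration of the two matching modes described above (example code written for this edit, not code from the thread or from pf itself): a small Python model of pf's rule ordering, run over a constructed subset of the ruleset posted earlier in the thread. Interface, protocol and port matching are simplified, and state tracking, NAT and TCP flags are ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in", "out" or "any"
    iface: str             # interface name, or "any"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port
    quick: bool = False

def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.direction in ("any", pkt["dir"])
            and rule.iface in ("any", pkt["iface"])
            and rule.proto in ("any", pkt["proto"])
            and _net_match(rule.src, pkt["src"])
            and _net_match(rule.dst, pkt["dst"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (verdict, winning_rule). The first matching rule marked
    'quick' wins immediately; otherwise the LAST matching rule wins.
    If no rule matches at all, pf's implicit default is to pass."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            if rule.quick:
                return rule.action, rule
            winner = rule
    return (winner.action if winner else "pass"), winner

# Constructed subset of the thread's ruleset, in the order pfctl -s rules printed it.
# Only "block drop log all" lacks quick, so it wins only when no quick rule matched.
RULES = [
    Rule("block", "any", "any", "any", "any", "any", None),
    Rule("block", "in", "rl0", "tcp", "192.168.2.0/24", "195.122.131.0/24", None, quick=True),
    Rule("pass", "in", "rl0", "tcp", "192.168.2.0/24", "any", 80, quick=True),    # www
    Rule("pass", "in", "rl0", "tcp", "192.168.2.0/24", "any", 443, quick=True),   # https
    Rule("pass", "in", "rl0", "udp", "192.168.2.0/24", "any", 53, quick=True),    # domain
]
```

A packet that matches no quick pass rule (for example an inbound TCP connection to an unlisted port) falls through to the non-quick default deny, which is why that rule must stay.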